COPPA and Children's Privacy: What Parents Should Know and Do

Aug 20, 2020, 09:00 AM by BBB National Programs

As a parent, it can be difficult to keep up with all the ways your child uses technology. From board books to iPads, weekend cartoons to YouTube, even traditional schooling has had to adapt to online classes. Trying to stay on top of what your child is watching, what ads they are seeing, and what is happening with their data can be overwhelming, but understanding COPPA, the Children’s Online Privacy Protection Act, can help.  

COPPA was passed in 1998 with the goal of putting control over the online collection of children’s personal information into the hands of parents. This legislation regulates how online services like websites and mobile apps collect, use, and share personal information from children under 13. COPPA also gives the Federal Trade Commission (FTC) the power to enforce the law, usually by issuing fines to online services that are not compliant. 

 

What is personal information? 

 

COPPA helps protect a child’s personal information, which is the information that identifies that you are you.  

 

Some personal information is obvious. Other information is collected without you seeing it happen. 
  • First and last name 

  • Home or other physical address (street name and name of a city or town) 

  • Online contact information (such as an email address; anything that permits a child to be contacted online) 

  • Screen or username (when it functions as online contact information) 

  • Telephone number 

  • Social Security number 

 

  • Persistent identifier that can be used to recognize a user over time and across different websites or online services. Persistent identifiers include, but are not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier 

  • A photograph, video, or audio file containing a child's image or voice 

  • Geolocation information sufficient to identify street name and name of a city or town; (or precise location) 

  • Any information about the child or the parents of that child that the operator collects online from the child and combines with any other personal information as outlined above 

 

Child-Directed, Notice, and Verifiable Parental Consent 

 

COPPA protects a child’s personal information for “child-directed” content. “Child-directed” is a term that means an online service is targeted exclusively or in part to children. For example, a gaming website that only provides games made for young children could be child-directed, but so could a gaming website that provides games made for both young children and teens.  

On these websites, platforms, and in these child-directed apps, COPPA applies.  

By contrast, general audience online services are not targeted to children at all, even though some children may still visit the site. If a website or app seems to be general audience rather than child-directed, the service may not have COPPA protections in place for children’s personal information.  

For example, most social media services like Instagram, SnapChat, and Twitter don’t allow children under 13 to be on their service and state that in their Terms of Service. As a result of requiring that all users be over the age of 13, there are no extra privacy protections for children that these social media services are obligated to provide.  

So as a parent, if you want to assess the online service or app that your child is using, step one is to check out the Terms of Service to see whether children should be using the service at all.  

When the FTC reviews an app, website, or other online service to determine if it should be considered child-directed content or not, here are some of the factors that are being taken into consideration: 

  • Subject matter that is likely intended for children, such as youth arts and crafts or toys and games. 

  • Visual content, for example bright colors or cartoons. 

  • Use of animated characters or child-oriented activities/incentives, like coloring. 

  • Music or other audio content that appeals to children, like the ABC song. 

  • Age of models on the service or platform. If a website depicts only children using their product or playing their games, that may be a good indicator the website is targeted to children. 

  • Presence of child celebrities/celebrities that appeal to children, such as a character from a popular children’s TV show, like Elmo. 

  • Language and other characteristics of the online service, such as using simple words, shorter sentences, and large text to make it easily accessible to children. 

  • Advertising placement promoting the service. For example, if a gaming app places an ad during children’s daytime programming on TV, that app is targeting children.  

 

Content creators across platforms, whether creating content for an advertisement or a video for YouTube, should be taking the above criteria into consideration when creating their content and determining where it will be placed online.   

Once a platform, website, or other online service is identified as “child-directed,” COPPA requires that that service or platform take three steps: 

  1. Include a notice that describes how they collect, use, and disclose children’s personal information that they have collected through use of the service. This notice can typically be found in the online service’s privacy policy; some services even have a separate privacy policy that is dedicated to explaining how they handle children’s information.

  2. Online services also must provide a direct notice to the parent or guardian that explains the same information, which is usually sent via email when a child signs up for the service. The direct notice should be sent to you even if the service does not collect or use the child’s personal information.

  3. In addition to providing notice, an online service must get your consent via a verifiable method before they can collect, use, or share any of your child’s personal information. This is called verifiable parental consent, or VPC.  


How will online services ask for this? Some services directed to children only collect persistent identifiers (such as cookies) to use in their internal operations, such as serving contextual ads on their site or performing site analytics and maintenance. In that case, if they are not collecting other types of personal information or sharing it with third parties for external uses, the service may ask your child for your email address. Then, they send you an email with a confirmation link or similar way to “activate” your child’s account. The FTC refers to this as the “email plus” method of consent.  

Sometimes online services directed to children collect other personal information or share it with third parties for behavioral advertising and other uses. In those circumstances, they can obtain VPC by asking the parent to call a toll-free number, videoconference with staff, sign and return a consent form, or by entering a credit or debit card to confirm you really are the child’s parent/guardian. 

The purpose of VPC is so that parents can be informed of the privacy and data practices of the online services their child is using, as well as how you can contact the site to review their children’s data or have the data deleted. 

 

If You See Something, Say Something  

 

Now that you know more about COPPA, what can you do if you notice something fishy about a service your child is using? If there is anything about the advertising or privacy practices on a child-directed site that you think doesn’t follow COPPA, you can file a complaint with us at CARU here, or by emailing us at infocaru@bbbnp.org. The complaint goes directly to CARU staff who will investigate the complaint and take necessary steps to make sure the issue is rectified.  

Other Blog Articles

Blog

Defining 'Child-Directed' and Addressing New Technology: Discussing COPPA Updates at CARU 2020

On September 22, the 2020 CARU Conference kicked off the Fall Series with a keynote from the Federal Trade Commission’s (FTC)'s Peder Magee, and Phyllis Marcus, a Partner at Huton Andrews Kurth and one of the original authors of the Children's Online Privacy Protection Act (COPPA).
Read more
Blog

What Parents Need to Know About Mobile App and Device Permissions

If there is one thing most parents know, it’s that Kids. Love. Apps. But how do you determine what apps are "safe" for your child to download? If you want to evaluate an app to determine how safe your child’s data will be if they use it, let's start by understanding the permissions the app asks for.
Read more
Blog

Schrems II: What Do Privacy Shield Businesses Need to Know?

The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
Read more
Blog

CARU’s Summer Series Wrap-Up: The Need-to-Know Takeaways from our Expert Speakers

Now at the halfway point of the CARU Conference 2020, it seems like a good time to reflect on the four sessions of the Summer Series that are under our belt and the key takeaways from our expert speakers.
Read more